sudo apt-get install openssh-server openssh-client
https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/
start (on the machine you want to reach; this opens port 19999 on hosta.vis.ac that leads back to this machine's port 22):
/usr/bin/ssh -R 19999:localhost:22 vissie@hosta.vis.ac
connect (run on hosta.vis.ac):
ssh -p19999 root@localhost
vim /etc/systemd/system/ssh_remote.service
<sxh bash; gutter: false>
[Unit]
Description=SSH Tunnel
After=network.target

[Service]
Restart=always
RestartSec=20
User=vissie
ExecStart=/usr/bin/ssh -p1234 -NT -o ServerAliveInterval=60 -R 999:localhost:22 user@remote.com

[Install]
WantedBy=multi-user.target
</sxh>

==== Configure SSHD ====

Some good strong options to consider when setting up sshd.

vim /etc/ssh/sshd_config

<sxh bash; gutter: false>
...
Protocol 2
ClientAliveInterval 900
ClientAliveCountMax 3
MaxAuthTries 3
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
StrictModes yes
UsePAM yes
AllowUsers user1 user2
PermitRootLogin no
X11Forwarding no
...
</sxh>

Note: Protocol 2 and UsePrivilegeSeparation only matter on old OpenSSH releases (protocol 1 was removed in 7.6 and privilege separation has been unconditional since 7.5); current versions ignore them. Run sshd -t after editing to catch typos before restarting, since a broken config can lock you out.
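Added example (not part of the original notes): a small audit script that checks an sshd_config against the option list above, the way I would before restarting sshd on a box I only reach over SSH. It follows sshd's own rule that the first occurrence of a keyword wins and that everything after a Match line is conditional. The sample config it audits is constructed for the example, not a real host's; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config against the
# hardening options listed above. sshd uses the FIRST occurrence of a keyword and
# anything after a "Match" line is conditional, so the check reports the first
# global value only. "Key=value" syntax (rare, but legal) is not handled here.

# Expected settings from the list above, one "Keyword value" per line. Protocol and
# UsePrivilegeSeparation are left out because modern sshd ignores them.
EXPECTED_SSHD_SETTINGS='PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
IgnoreRhosts yes
HostbasedAuthentication no
StrictModes yes
UsePAM yes
X11Forwarding no
ClientAliveInterval 900
ClientAliveCountMax 3'

# effective_sshd_value FILE KEYWORD -> prints the first global value, nothing if unset
effective_sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"                { exit }   # conditional section starts
        tolower($1) == tolower(key)           { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per finding; returns the finding count
audit_sshd_config() {
    file="$1"
    findings=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(effective_sshd_value "$file" "$key")
        if [ -z "$have" ]; then
            printf 'UNSET    %-26s (want %s; compiled-in default applies)\n' "$key" "$want"
            findings=$((findings + 1))
        elif [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf 'MISMATCH %-26s is %s (want %s)\n' "$key" "$have" "$want"
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED_SSHD_SETTINGS
EOF
    return "$findings"
}

# write_sample_sshd_config PATH -> a constructed config (not a real host's) with a few
# weak settings and a Match block that must not be mistaken for global settings
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
MaxAuthTries 6
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
StrictModes yes
UsePAM yes
X11Forwarding yes
Match User backup
    PermitRootLogin no
    X11Forwarding no
EOF
}

# Stand-alone run: audit the constructed sample (point it at /etc/ssh/sshd_config on a real host)
sample=$(mktemp)
write_sample_sshd_config "$sample"
audit_sshd_config "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On the constructed sample this reports PermitRootLogin, MaxAuthTries and X11Forwarding as mismatches and the two ClientAlive options as unset, and the Match block's values are correctly ignored. The exit status is the number of findings, so it can gate a config-management run.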
If you get:
# ssh-copy-id root@192.168.1.11
/usr/bin/ssh-copy-id: ERROR: No identities found

Solution: you will have to manually define the path of the public key using the -i switch, as shown below:
ssh-copy-id -i .ssh/id_rsa.pub 192.168.1.11
You can then create an alias to use that key in your bash.bashrc file:
alias name='ssh -i ~/.ssh/some_other.key my.host.com'
https://openelec.tv/documentation/configuration/ssh-public-keys
ssh-keygen
scp -P 22 ~/.ssh/id_rsa.pub username@198.168.1.122:~/Downloads/id_rsa_localbox.pub
on the remote end:
cat ~/Downloads/id_rsa_localbox.pub >> ~/.ssh/authorized_keys
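Added example (not part of the original notes): a safer stand-in for the cat >> authorized_keys step above. Appending blindly works, but it happily appends garbage, duplicates, and leaves ~/.ssh with whatever permissions your umask gave it, which StrictModes then rejects. This script validates the key, sets 700/600 and skips keys that are already there. The function names, the return codes and the test key are my own; the key blob in the test is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not part of the original notes): an idempotent replacement for the
# "cat ... >> ~/.ssh/authorized_keys" step above. It refuses input that does not look
# like a single OpenSSH public key, creates ~/.ssh and authorized_keys with the
# permissions sshd's StrictModes expects (700 / 600), and skips keys that are already
# present, comparing key type and base64 blob so a changed comment is not a duplicate.

# key_id LINE -> prints "type blob" for an authorized_keys or .pub line; any option
# prefix (command="...", from="...") is skipped by looking for the key-type field
key_id() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i, $(i + 1); exit }
    }'
}

# looks_like_pubkey LINE -> 0 if the line is a plausible OpenSSH public key
looks_like_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key KEYFILE [HOME_DIR]
#   returns 0 = added, 3 = already present, 1 = unreadable or not a public key
install_authorized_key() {
    keyfile="$1"; home="${2:-$HOME}"
    sshdir="$home/.ssh"; authfile="$sshdir/authorized_keys"

    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }
    [ "$(grep -c . "$keyfile")" -eq 1 ] || { echo "$keyfile must hold exactly one key" >&2; return 1; }
    line=$(grep . "$keyfile")
    looks_like_pubkey "$line" || { echo "$keyfile is not an OpenSSH public key" >&2; return 1; }

    # create with a restrictive umask in a subshell so the caller's umask is untouched
    ( umask 077; mkdir -p "$sshdir" && touch "$authfile" ) || return 1
    chmod 700 "$sshdir" && chmod 600 "$authfile" || return 1

    id=$(key_id "$line")
    # compare type+blob of every existing entry (comments and option prefixes ignored)
    if grep -v '^[[:space:]]*#' "$authfile" | while read -r entry; do key_id "$entry"; done | grep -Fxq "$id"; then
        echo "key already present in $authfile"
        return 3
    fi
    printf '%s\n' "$line" >> "$authfile"
    echo "added key to $authfile"
}

# Usage on the remote end, mirroring the note above:
#   sh this_script.sh ~/Downloads/id_rsa_localbox.pub
[ $# -eq 0 ] || install_authorized_key "$1"
```

Comparing on type and blob rather than the whole line is deliberate: a .pub file regenerated with a new comment is the same key, and a second line for it would only make later cleanup harder.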
If you are a Gnome user, this is possible in Nautilus as well.
Instead of
fish://username@192.168.1.20
you have to enter
ssh://username@192.168.1.20
in the address bar – protocol is ssh: instead of fish:.
or you could try sshfs http://fuse.sourceforge.net/sshfs.html
Before attempting to mount a directory, make sure the file permissions on the target directory allow your user correct access. To mount a remote directory, invoke sshfs:
sshfs USERNAME@HOSTNAME_OR_IP:/REMOTE_PATH LOCAL_MOUNT_POINT SSH_OPTIONS
For example:
sshfs sessy@mycomputer:/remote/path /local/path -C -p 9876 -o allow_other
Where -p 9876 is the port number, -C enables compression and -o allow_other lets non-root users have read/write access to the mount.
http://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful
First you need to be able to send mail from the command line. There are other questions about this. On a mail server it's probably easiest to install mailx (which is probably already installed anyway).
Then you need an executable script file login-notify.sh (I put it in /etc/ssh/ for example) with the following content. You can change the variables to change the subject and content of the e-mail notification.
vim /etc/ssh/login-notify.sh
#!/bin/bash
# Change these two lines:
sender="sender-address@example.com"
recipient="notify-address@example.org"

if [ "$PAM_TYPE" != "close_session" ]; then
    host="$(hostname)"
    subject="SSH Login: $PAM_USER from $PAM_RHOST on $host"
    # Message to send, e.g. the current environment variables.
    message="$(env)"
    echo "$message" | mailx -a "From: Foo Bar <$sender>" -s "$subject" "$recipient"
fi
chmod +x login-notify.sh
Once you have that, you can add the following line to /etc/pam.d/sshd:
session optional pam_exec.so seteuid /path/to/login-notify.sh
For testing purposes, the module is included as optional, so that you can still log in if the execution fails. After you made sure that it works, you can change optional to required. Then login won't be possible unless the execution of your hook script is successful (if that is what you want).
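Added example (not from the askubuntu answer or these notes): the PAM hook above needs a working mailx on the host. The log-side equivalent, which works anywhere you can read /var/log/auth.log or journalctl -u ssh (sshd on non-Debian systems), is to pull successful logins out of sshd's "Accepted ..." lines and flag the ones worth a second look, i.e. password logins and logins as root. The log lines below are constructed for the example with RFC 5737 test addresses, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original answer: parse sshd "Accepted ..." lines from
# auth.log text on stdin and flag password logins and root logins.

# Constructed sample log (not from a real host); documentation-range addresses.
SAMPLE_AUTH_LOG='Jan 12 09:14:02 hosta sshd[2041]: Accepted publickey for vissie from 192.0.2.10 port 51514 ssh2: ED25519 SHA256:constructedfingerprint
Jan 12 09:14:02 hosta sshd[2041]: pam_unix(sshd:session): session opened for user vissie by (uid=0)
Jan 12 09:20:45 hosta sshd[2077]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 12 09:21:03 hosta sshd[2080]: Accepted password for root from 198.51.100.7 port 40031 ssh2
Jan 12 09:30:11 hosta sshd[2102]: Accepted keyboard-interactive/pam for bob from 203.0.113.5 port 60010 ssh2'

# ssh_accepted_logins < LOG -> one "user<TAB>source<TAB>method<TAB>flags" line per
#   successful login; flags is "-" when nothing stands out
ssh_accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            method = ""; user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)   # publickey, password, keyboard-interactive/pam
                if ($i == "for")      user   = $(i + 1)
                if ($i == "from")     src    = $(i + 1)
            }
            flags = ""
            if (method == "password") flags = flags "PASSWORD,"
            if (user == "root")       flags = flags "ROOT,"
            sub(/,$/, "", flags)
            if (flags == "") flags = "-"
            printf "%s\t%s\t%s\t%s\n", user, src, method, flags
        }'
}

# count_flagged_logins < LOG -> number of logins that carry at least one flag
count_flagged_logins() {
    ssh_accepted_logins | awk -F '\t' '$4 != "-" { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed sample; on a real host:
#   ssh_accepted_logins < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_accepted_logins
```

Failed attempts are deliberately left out here (the PAM hook only fires on successful sessions too); the root-over-password line is the one the script flags, which is exactly the case the PermitRootLogin no / MFA settings elsewhere in these notes are meant to rule out.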
The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):
ssh-keygen -t rsa
You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.
ssh-copy-id -p22 user@123.45.56.78
sudo apt-get install libpam-google-authenticator
Next, execute google-authenticator as the user you want to protect with MFA:
google-authenticator
There are a number of questions to answer, but generally speaking y will be a good choice for all of them. A configuration file is then written to ~/.google-authenticator.
Next, root needs to enable Google Authenticator in PAM. Add this to your auth list in /etc/pam.d/sshd:
Next up, open your SSH configuration file /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
Change

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

and add

AuthenticationMethods publickey,keyboard-interactive

(On OpenSSH 8.7 and later ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication; either name works.) Then in /etc/pam.d/sshd remove the standard authentication:
vim /etc/pam.d/sshd
#@include common-auth

and add google-authenticator:

auth required pam_google_authenticator.so

and restart sshd:
/etc/init.d/ssh restart
yay -S libpam-google-authenticator google-authenticator
vim /etc/pam.d/sshd

#%PAM-1.0
#auth required pam_securetty.so #disable remote root
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
auth required pam_google_authenticator.so
Next up, open your SSH configuration file /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
Change

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

And in /etc/pam.d/sshd add the following:
vim /etc/pam.d/sshd
auth required pam_unix.so
auth required pam_google_authenticator.so
auth required pam_env.so

and restart sshd:
sudo systemctl restart sshd
Happy days…
sudo yum install pam pam-devel google-authenticator
---- to continue one day ----
google-authenticator
vim /etc/pam.d/sshd
#auth required pam_securetty.so #disable remote root
auth required pam_unix.so
auth required pam_google_authenticator.so
auth required pam_env.so
Next up, open your SSH configuration file /etc/ssh/sshd_config

vim /etc/ssh/sshd_config
Change

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

And in /etc/pam.d/sshd add the following:
vim /etc/pam.d/sshd
auth required pam_unix.so
auth required pam_google_authenticator.so
auth required pam_env.so

and restart sshd:
sudo systemctl restart sshd
Happy days…
The ProxyJump, or the -J flag, was introduced in ssh version 7.3. To use it, specify the bastion host to connect through after the -J flag, plus the remote host:
ssh -J <bastion-host> <remote-host>
You can also set specific usernames and ports if they differ between the hosts:
ssh -J user@<bastion:port> <user@remote:port>
The ssh man (or manual) page (man ssh) notes that multiple, comma-separated hostnames can be specified to jump through a series of hosts:
ssh -J <bastion1>,<bastion2> <remote>
The -J flag provides flexibility for easily specifying proxy and remote hosts as needed, but if a specific bastion host is regularly used to connect to a specific remote host, the ProxyJump configuration can be set in ~/.ssh/config to automatically make the connection to the bastion en route to the remote host:

### The Bastion Host
Host bastion-host-nickname
    HostName bastion-hostname

### The Remote Host
Host remote-host-nickname
    HostName remote-hostname
    ProxyJump bastion-host-nickname

Using the example configuration above, when an ssh connection is made like so:
ssh remote-host-nickname
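Added example (not part of the original notes): once ProxyJump lives in ~/.ssh/config, a chain can get longer than you remember, because each hop's ssh invocation reads its own Host block and may jump again. This script resolves the hop order for an alias the way ssh does, following ProxyJump through the config, and refuses a self-referencing loop. The sample config is constructed and reuses the nicknames from the snippet above plus a third host; the function names are mine. For a real config, ssh -G remote-host-nickname prints the effective options, including proxyjump, without connecting.

```shell
#!/bin/sh
# Added example (not part of the original notes): resolve the hop order ssh will use
# for a host alias by following ProxyJump entries through an ssh_config file.
# Limitations, on purpose: Host patterns are matched literally (no wildcards), only a
# single ProxyJump host per block is followed (no comma lists), loops are cut at 8 hops.

# resolve_jump_chain CONFIG_FILE ALIAS -> one "alias (HostName)" line per hop, in
#   connection order, the target last; exit status 2 on a ProxyJump loop
resolve_jump_chain() {
    awk -v target="$2" '
        function walk(alias, depth) {
            if (depth > 8) { print "ERROR: ProxyJump loop at " alias; exit 2 }
            if (alias in jump) walk(jump[alias], depth + 1)      # reach the jump host first
            printf "%s (%s)\n", alias, ((alias in hostname) ? hostname[alias] : alias)
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }           # comments and blank lines
        tolower($1) == "host"      { cur = $2; next }            # first pattern of the block
        tolower($1) == "hostname"  { if (!(cur in hostname)) hostname[cur] = $2 }   # first value wins, as in ssh
        tolower($1) == "proxyjump" { if (!(cur in jump))     jump[cur]     = $2 }
        END { walk(target, 0) }
    ' "$1"
}

# write_sample_ssh_config PATH -> constructed config reusing the nicknames from the
#   notes above, plus a host that jumps through the remote host, and a deliberate loop
write_sample_ssh_config() {
    cat > "$1" <<'EOF'
### The Bastion Host
Host bastion-host-nickname
    HostName bastion-hostname
    User jumpuser

### The Remote Host
Host remote-host-nickname
    HostName remote-hostname
    ProxyJump bastion-host-nickname

### A host only reachable from the remote host (two jumps)
Host deep-host-nickname
    HostName deep-hostname
    ProxyJump remote-host-nickname

### Misconfiguration: jumps through itself
Host loopy
    ProxyJump loopy
EOF
}

# Stand-alone run on the constructed config; on a real box:
#   resolve_jump_chain ~/.ssh/config remote-host-nickname
cfg=$(mktemp)
write_sample_ssh_config "$cfg"
resolve_jump_chain "$cfg" deep-host-nickname
rm -f "$cfg"
```

For deep-host-nickname this prints bastion, then remote, then deep, which is the order of TCP connections ssh will open, and a good sanity check that a bastion you meant to remove is really gone from every chain.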
ssh -R 5901:localhost:5901 -p 1234 remote.server.com
I like to think of it this way:
ssh -R 7000:localhost:5901 -p 1234 remote.server.com
Port 7000 is opened on the remote server (whose sshd listens on port 1234) and forwarded back to port 5901 on localhost. By default that listener binds to the remote server's loopback interface only, unless GatewayPorts is enabled in its sshd_config.
vim ./port_forward.sh
#!/bin/bash
## for kvm setups
#ssh -p1234 myserver.ip.add -L 5901:127.0.0.1:5901

# For my IP cameras https://127.0.0.1:5000/
#ssh -L 5001:192.168.1.22:443 sshservername

# For my IP cameras https://127.0.0.1:5000/
ssh -L 5000:192.168.1.23:80 sshservername

# For zmninja
#ssh -L 5000:192.168.1.2:1234 sshservername

# My Router
#ssh -L 5000:192.168.1.1:80 sshservername